When the Supreme Court decided Van Buren v. United States last summer, many Computer Fraud and Abuse Act experts felt that the decision avoided the worst interpretations of the CFAA, while consciously leaving most of its practical applications for lower courts to decide later. Sixteen months later, we’re starting to see those practical applications get decided.
Unlike most CFAA cases, RyanAir DAC v. Booking Holdings, 2022 WL 13946243 (D. Del. Oct. 24, 2022), presents a fact-pattern that just about anyone can understand. Booking Holdings is the parent company for Kayak.com, Priceline, Booking.com, and other prominent online travel agents (“OTAs”). It is the largest OTA in the world.
Ryanair is Europe’s largest discount airline. Its business model is to sell highly discounted flights at, near, or below cost and then to make additional profits by selling ancillary services such as food, drinks, rental cars, hotels, and insurance on their site and on their flights. But much of this business model is contingent on being able to sell flights directly through Ryanair’s site to control the market for ancillary services.
Ryanair has a long history of litigating against OTAs in Europe and the United States. It has previously litigated against OTAs in Spain, France, Ireland, and Switzerland, with mixed results. It previously litigated against Expedia in Washington.
The facts of the case are relatively simple, with a couple of twists. Booking Holdings is the parent company of multiple OTAs that publish fare data and sell Ryanair flights in purported violation of Ryanair’s terms of service. As usual in these types of cases, Ryanair sent cease-and-desist letters to Booking telling it to stop. Needless to say, it didn’t stop. When Booking didn’t stop, Ryanair sued for five different violations of the CFAA.
One twist is that Ryanair cannot sue Booking in the United States for breach of its terms of service, because Ryanair’s terms of service are governed by Irish law and require the jurisdiction of Irish courts. Because Ryanair cannot invoke its terms of service in the United States, it must resort to unique causes of action for which there is not a comparable remedy in Ireland. In this instance, the CFAA.
The other twist is that Booking did not scrape or access Ryanair’s data directly from Ryanair’s site. Rather, it hired a few different third-party sites to collect the data and provide it to them. Booking was hoping this might forestall any CFAA liability. According to Booking’s briefing for this motion, the CFAA is fundamentally a computer access statute. Without access, there can be no violation of the CFAA.
With that background, Booking filed a motion to dismiss the CFAA claims based on two primary arguments: 1) Booking is using publicly available data obtained from a third party to sell Ryanair flights. Based on the holdings of Van Buren and hiQ Labs II, this conduct does not trigger CFAA liability; 2) Even if this conduct were sufficient to trigger direct CFAA liability, the CFAA does not provide for vicarious liability.
The District Court of Delaware mostly denied Booking’s motion to dismiss.
With respect to the “publicly available data” argument, the court decided that these facts were more akin to the facts of Power Ventures than those of hiQ Labs. Power Ventures was a 2016 case involving Facebook (back when the company itself was still known as Facebook). Power Ventures was a platform that attempted to enable users to manage all their social media accounts from one platform. To do so, they had to take users’ log-in credentials on the various platforms and collect users’ data from those platforms to aggregate it within the Power Ventures platform.
The CFAA is an anti-hacking statute; password sharing isn’t hacking. Indeed, this would seem to contradict the (needlessly opaque) instructions from the text of Van Buren itself, which said, “[a]n interpretation that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible [interpretation of the CFAA].” Van Buren at 20.
That said, hiQ Labs I and hiQ Labs II both distinguished Power Ventures; those cases did not repudiate it. And so the Delaware court found it dispositive here.
If you want to buy a ticket on Ryanair, you must create an account with a username and password. According to Power Ventures in the Ninth Circuit and now this case in Delaware, that step likely allows you to invoke the CFAA against a third party for violating your terms of service and for continuing to access a website after receiving a cease-and-desist letter—even though the exact same conduct in the absence of a username and password “risks the possible creation of information monopolies that would disserve the public interest.” hiQ Labs II at 43.
The court was also not persuaded by Booking’s arguments that vicarious liability is unavailable under the CFAA, even though many cases seemed to suggest as much. For example, consider this language from Koninklijke Philips N.V. v. Elec–Tech International Co., Ltd.:
Plaintiffs here make no allegation that either Mr. Wang or Ms. Chan was given Dr. Chen’s password and then ran searches, nor do they allege that either individual Defendant in any way accessed or downloaded information from Lumileds’ network. By the Complaint’s own allegations, none of the CFAA Defendants accessed Lumileds’ information–Dr. Chen did, at a time when he was authorized to download this information. Even if he misappropriated the information, and gave it to the CFAA Defendants, Nosal forecloses a claim against those Defendants under the CFAA because they themselves did not hack Lumileds’ system. Plaintiffs’ argument that Dr. Chen and the CFAA Defendants were essentially “acting as one” for purposes of accessing the files does not save Plaintiffs’ CFAA claim. Rather, it shows that this case is factually quite similar to Nosal: it is alleged that outsiders convinced an insider to access information the insider was authorized to access, then hand that information over to the outsiders. While such allegations could possibly state a claim for misappropriation, they cannot state a claim under the CFAA after Nosal. Reading the CFAA in its context as an anti-hacking statute, “access” means something more than persuading someone to procure information you desire. Instead, as described by the district court in Nosal II, “[t]he common definition of the word ‘access’ encompasses not only the moment of entry, but also the ongoing use of a computer system.” Nosal II, 930 F.Supp.2d 1051, 1063 (N.D. Cal.2013). None of the CFAA Defendants entered or used Lumileds’ network. At most, they encouraged Dr. Chen to do so, and stood to benefit from the alleged misappropriation. This action may give rise to a number of claims, but it does not support a theory of liability under the CFAA. (emphasis mine)
Koninklijke Philips N.V. v. Elec–Tech International Co., Ltd. 2015 WL 1289984 at 4 (N.D. Cal. March 20, 2015).
It wasn’t a total loss for Booking, though. It scored a minor victory when the judge granted its motion to dismiss with respect to RyanAir’s Section 1030(a)(5) allegations, which prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.”
For me, any CFAA decision that makes it illegal to aggregate price information that anyone can access online is a bad one. Price comparison services benefit everyone except for companies looking to obfuscate prices and eliminate competition. Every human being—including the executives of Booking Holdings—can go to Ryanair’s web site today and look at how much it costs to fly from Dublin to Barcelona (or Girona, since Ryanair is too cheap to fly directly to Barcelona). According to Van Buren, “[CFAA] liability  stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” Ryanair permits anyone to view its price and flight data. Everyone can access the system—except those whose technology and services threaten their business model.
I understand why Ryanair wants to control or redirect traffic to its site. Every for-profit company is in the business of making money. I just don’t think that a federal anti-hacking statute should be the legal mechanism that allows them to do that. There are a panoply of state-law claims that have been litigated in similar cases with similar facts. And however that might play out in state or federal court would depend on the nuances of the relevant state, federal, and international legal precedents. But to make this a CFAA issue just seems wrong to me.
This decision allows Ryanair to selectively invoke the CFAA against a company that harms its business model for the mere act of harming its business model. That’s not what the statute is designed to prevent. But that is precisely what courts are allowing it to be used for.